FTC and Data Privacy Compliance

Patrick Kellermanfrom LeClairRyan (Patrick’s profile is here) responds to an article in Forbes asking if the recent $22.5 million FTC – Google settlement does more harm than good. A copy of the Forbes article is here.

First, some background information: The FTC alleged Google violated the Consent Order reached in the Google Buzz settlement by misrepresenting its tracking cookie practices pertaining to users of the Safari browser. Here are some basic definitions: A browser is the program used to surf the internet. A cookie is a computer code used to collect information about an internet user’s surfing activity. First-party cookies come from a site visited by the user. Third-party cookies come from a site other than the one visited, usually, for example, through an advertisement.

Safari, Apple’s internet browser, blocks third party tracking cookies as the default setting except in limited situations. Google allows users to opt-out from receiving third-party cookies but for technical reasons, the opt-out feature does not work with the Safari browser. Google’s privacy statement said Safari’s controls “effectively accomplish the same thing” as Google’s opt-out. According to the FTC Complaint, Google “overrode the Safari default browser setting” and placed third party cookies on Safari browsers.

In the stipulated facts of the proposed settlement agreed to by Google and the FTC, Google denied any violation of the FTC Order, and all liability and material allegations in the Complaint.

Below is Patrick’s response to the Forbes article:

I agree it is important to think of how best to incentivize and reward transparency, keeping in mind evolving technologies, innovation, and other advantages to consumers. Considering the FTC and plaintiffs’ increasing focus on online privacy violations, businesses with an internet presence must think of how best to mitigate exposure.

We must be careful when framing any discussion in the very complex field of digital privacy. Yes, the charges against Google rely on its privacy disclosures. But the crux of the complaint was the company’s alleged failure to adhere to promises made to consumers in those disclosures. According to the FTC complaint, the company told users of Apple’s Safari browser—which prevents tracking by third-party cookies—they would not be tracked, but allegedly circumvented those controls and placed tracking cookies on Safari users’ systems.

Those participating in the consumer privacy debate must be cautious and measured. You note that companies “may well look at this result and decide that the legally cautious thing to do is to be as vague and imprecise as possible in their privacy statements.” I do not doubt that even compliance-minded entities may consider this route. And the article certainly does not promote this avenue.

But in plain terms from a practicing white collar / data-privacy attorney: vague and imprecise privacy statements are not an option. This will not protect a company. This will lead to closer scrutiny, subject a company to higher fines or more severe punishment by the FTC, and may also invite private lawsuits, including class actions.

Instead, any company that collects consumer information must ask: What do we collect? How do we store it? With whom do we share it? And what do we say about our collection, storage and distribution practices?